CircleID: DDoS
http://www.circleid.com/topics/
Latest DDoS related postings on CircleID. Copyright 2017, unless where otherwise noted. Feed last updated 2017-08-17.

The Internet is Dead - Long Live the Internet
http://www.circleid.com/posts/20170816_the_internet_is_dead_long_live_the_internet/
Back in the early 2000s, several notable Internet researchers were predicting the death of the Internet. Based on the narrative, the Internet infrastructure had not been designed for the scale that was being projected at the time, supposedly leading to fatal security and scalability issues. Yet somehow the Internet industry has always found a way to dodge the bullet at the very last minute.

While the experts projecting gloom and doom have been silent for the good part of the last 15 years, it seems that the discussion on the future of the Internet is now resurfacing. Some industry pundits such as Karl Auerbach have pointed out that essential parts of Internet infrastructure such as the Domain Name System (DNS) are fading from users' views. Others such as Jay Turner are predicting the downright death of the Internet itself.

Looking at the developments over the last five years, there are indeed some powerful megatrends that seem to back up the arguments made by the two gentlemen:

As mobile has penetrated the world, it has created a shift from browser-based services into mobile applications. Although not many people realize this, the users of mobile apps do not really have to interface with the Internet infrastructure at all. Instead, they simply push the buttons in the app and the software is intelligent enough to take care of the rest. Because of these developments, key services in the Internet infrastructure are gradually disappearing from the plain sight of regular users.

As Internet of Things (IoT) and cloud computing gain momentum, the enterprise side of the market is increasingly concerned about the level of information security. Because the majority of these threats originate from the public Internet, building walls between private networks and the public Internet has become an enormous business. With emerging technologies such as Software-Defined Networking (SDN), we are now heading towards a world littered with private networks that expand from traditional enterprise setups into public clouds, isolated machine networks and beyond.

Once these technology trends have played their course, it is quite likely that the public Internet infrastructure and the services it provides will no longer be directly used by most people. In this sense, I believe both Karl Auerbach and Jay Turner are quite correct in their assessments.

Yet at the same time, both the mobile applications and the secure private networks that move the data around will continue to be highly dependent on the underlying public Internet infrastructure. Without a bedrock on which the private networks and the public cloud services are built, it would be impossible to transmit the data. Due to this, I believe that the Internet will transform away from the open public network it was originally supposed to be.

As an outcome of this process, I further believe that the Internet infrastructure will become a utility that is very similar to the electricity grids of today. While almost everyone benefits from them on a daily basis, only electrical engineers are interested in their inner workings or have direct access to them. So essentially, the Internet will become a ubiquitous transport layer for the data that flows within the information societies of tomorrow.

From the network management perspective, the emergence of secure overlay networks running on top of the Internet will introduce a completely new set of challenges. While network automation can carry out much of the configuration and management work, it will cause networks to disappear from plain sight in a similar way to mobile apps and public network services. This calls for new operational tools and processes to navigate this new world.

Once all has been said and done, the chances are that the Internet infrastructure we use today will still be there in 2030. However, instead of being viewed as an open network that connects the world, it will have evolved into a transport layer that is primarily used for transmitting encrypted data.

The Internet is Dead — Long Live the Internet.

Written by Juha Holkkola, Co-Founder and Chief Technologist at FusionLayer Inc.

Posted 2017-08-16. Topics: internet, access providers, broadband, cloud computing, cybersecurity, data center, ddos, dns, domain names, internet of things, internet protocol, ip addressing, ipv6, mobile internet, networks, telecom, web.

No One is Immune: Qatar Crisis Started by a Targeted Poli-Cyber Attack
http://www.circleid.com/posts/20170725_no_one_immune_qatar_crisis_started_by_a_targeted_poli_cyber_attack/
The Qatar Crisis started with a targeted Poli-Cyber hack of an unprecedented nature. Its shockwaves and repercussions continue to alter political and business fortunes, directions and paradigms not only in the Gulf region but globally.

Almost everyone around the world is now aware of this crisis, which started in early June. By mid July a Washington Post report cited US intelligence officials saying that the UAE orchestrated the hacking of Qatari government sites, sparking the regional upheaval that started it all.

The one thing that is 100% certain is that the Qatari government sites and its news agency were hacked. I will address attribution in a future post.

Q: What lessons must be learnt by top business and government decision makers worldwide who don't want something similar happening to them, you might ask?

A: NO one is immune, especially when you are targeted by political, ideological, religious or destruction motivated Poli-Cyber terrorist hackers.

Fact: The Qataris had brought in the best brains and bought the best and most expensive cyber security solutions money can buy to defend themselves against cyber attacks. Well, these brains and solutions failed to defend Qatar from a targeted and politically motivated cyber attack.

Also, the Qataris adopted and relied, like many governments and organizations all over the world, on cyber strategies and solutions that were "tried and tested". And the more expensive they were the better they were perceived to be.

Little did they know that these same cyber strategies and solutions they bought have been failing routinely in the last couple of years, on a global and unprecedented scale. A costly lesson that Qatar and the Gulf States will one day measure in the trillions, not billions, of dollars.

Written by Khaled Fattal, Group Chairman, The Multilingual Internet Group

Posted 2017-07-25. Topics: internet, cyberattack, cybercrime, cybersecurity, ddos, internet governance, internet of things, malware, policy and regulation.

U.S. Critical Infrastructure Will Be Attacked Within 2 Years, According to 2017 Black Hat Survey
http://www.circleid.com/posts/20170711_us_critical_infrastructure_will_be_attacked_within_2_years/
According to a 2017 Black Hat Attendee Survey, cyberattacks on U.S. enterprise and critical infrastructure are coming soon, and in most cases defenders are not prepared. Published for this year's Black Hat event in Las Vegas, a report titled "Portrait of an Imminent Cyberthreat," portrays a dark picture of tomorrow's cyber defenses. "In essence, the survey is a warning from the industry's most experienced and responsible IT security professionals that successful cyber attacks on essential infrastructure and business could be imminent, but defenders do not have the resources and training they need to efficiently respond."

Other findings from the survey include:

— 60% of respondents believe that a successful cyber attack on US critical infrastructure will occur in the next two years. Only 26% are confident that U.S. government and defense forces are equipped and trained to respond appropriately.

— 69% of IT security professionals believe that state-sponsored hacking from countries such as Russia and China has made US enterprise data less secure.

— Only 26% of information security pros believe that the new White House administration will have a positive impact on cybersecurity policy, regulation, and law enforcement over the next four years.

— About two-thirds of respondents think it's likely that their own organizations will have to respond to a major security breach in the next 12 months. Sixty-nine percent say they don't have enough staff to meet the threat; 58% believe they don't have adequate budgets.

— IT security professionals' greatest concerns are around phishing and social engineering (50%) and sophisticated attacks targeted directly at their own organizations (45%).

— The increased use of ransomware remains the most serious new threat faced by cybersecurity professionals, cited by 36% of respondents.

Posted 2017-07-11. Topics: internet, cyberattack, cybercrime, cybersecurity, ddos, malware.

Petya Ransomware Spreading Rapidly Worldwide, Affecting Banks, Telecom, Businesses, Power Companies
http://www.circleid.com/posts/20170627_petya_ransomware_spreading_rapidly_worldwide/
Photo: Supermarket 'Rost' in Kharkiv, East Ukraine – all the payment terminals appear to have been hit by the Petya ransomware. (Photo posted on Twitter this morning by Mikhail Golub / @golub)

A large scale ransomware attack today is spreading rapidly worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins. Multiple sources are reporting that this variant of Petya ransomware, also known as Petwrap, is using the WannaCry vulnerability that had infected close to 300,000 systems and servers worldwide last month. Swati Khandelwal reporting in The Hacker News: "Infected users are advised not to pay the ransom because hackers behind Petya ransomware can't get your emails anymore. Posteo, the German email provider, has suspended the email address i.e. wowsmith123456@posteo.net, which was used by the criminals to communicate with victims after getting the ransom to send the decryption keys. At the time of writing, 23 victims have paid in Bitcoin to '1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX' address for decrypting their files infected by Petya, which total roughly $6775."

— "Petya ransomware has already infected Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, Kyivenergo and Ukrenergo, in the past few hours. ... There are reports from several banks, including National Bank of Ukraine (NBU) and Oschadbank, as well as other companies confirming they have been hit by the Petya ransomware attacks." –The Hacker News

— Brad Duncan from The Internet Storm Center, Examining the new Petya variant: "Petya is a ransomware family that works by modifying the infected Windows system's Master Boot Record (MBR). Using rundll32.exe with #1 as the DLL entry point, I was able to infect hosts in my lab with the above two DLL samples. The reboot didn't occur right away. However, when it did, my infected host did a CHKDSK after rebooting. After CHKDSK finished, the infected Windows host's modified MBR prevented Windows from loading. Instead, the infected host displayed a ransom message."

— One of the largest health networks in western Pennsylvania, Heritage Valley Health System reports "cyber security incident" has affected all operations at its two hospitals and 18 satellite centers but has not yet confirmed whether the incident is linked to the Petya ransomware.

— DLA Piper Victim of Massive Malware Attack: "The global law firm DLA Piper fell victim on Tuesday to a widespread cyber attack, which reportedly disabled networks at dozens of companies. By midday, the firm posted a statement on its website, which remained functional, confirming it suffered a malware attack." Bloomberg Law / 27 Jun 2017, 1:19 PM

— "Organizations and individuals who have not yet applied the Windows update for the Eternal Blue exploit should patch now." Brian Krebs writes: "However, there are indications that Petya may have other tricks up its sleeve to spread inside of large networks. Russian security firm Group-IB reports that Petya bundles a tool called 'LSADump,' which can gather passwords and credential data from Windows computers and domain controllers on the network."

— A.P. Moller-Maersk, the transport and logistics company, has confirmed that its IT systems are down across multiple sites and business units. This has affected various operations including India's largest container port JNPT. The company has stated that AP Moller-Maersk, one of the affected entities globally, operates the Gateway Terminals India (GTI) at JNPT, which has a capacity to handle 1.8 million standard container units. 27 Jun 2017, 1:40 PM

— Hackers behind today's massive ransomware outbreak can't get emails from victims who paid. "A German email provider has closed the account of a hacker behind the new ransomware outbreak, meaning victims can't get decryption keys. ... email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files." Joseph Cox reporting in Motherboard / 27 Jun 2017, 1:46 PM

— Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software. Catalin Cimpanu, reporting in BleepingComputer: "Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. ... The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, issued a security advisory ... Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe, M.E.Doc denied on Facebook its servers ever served any malware."

Posted 2017-06-27. Topics: internet, cyberattack, cybercrime, cybersecurity, ddos, malware.

South Korean Banks Receive DDoS Threat from Hacker Group, Record Ransomware Payment Demanded
http://www.circleid.com/posts/20170627_south_korean_banks_receive_ddos_threat_from_hacker_group/
Many sources including South Korea's news agency Yonhap are reporting that a hacker group has threatened to launch a DDoS attack against seven South Korean banks unless they pay about 360 million won (US$315,000) in bitcoin. The hacker group, known as Armada Collective, has threatened KB Kookmin Bank, Shinhan Bank, Woori Bank, KEB Hana Bank, NH Bank and two other lenders. Zeljka Zorz reporting in Help Net Security writes: "Choi Sang-Myung, a researcher at South Korea's Hauri Labs, noted that these latest threats might have been a consequence of the recent successful extortion attempt of South Korean web hosting provider Nayana. ... The deadline for the announced attacks was this Monday. The websites of the aforementioned banks are online and working, but whether it's because they paid the requested amount or because they managed to thwart the DDoS attacks is impossible to tell."

— Update: New report from BBC, "Global ransomware attack causes chaos ... Companies across the globe are reporting that they have been struck by a major ransomware cyber-attack. ... Experts suggest the malware is taking advantage of the same weaknesses used by the Wannacry attack last month. ... Kaspersky Lab reported that it believed the malware was a 'new ransomware that has not been seen before' despite its resemblance to Petya."

— Petya is a ransomware with an evil twist. F-Secure: "Instead of encrypting files on disk, it will lock the entire disk, rendering it pretty much useless. Specifically, it will encrypt the filesystem's master file table (MFT), which means the operating system is not able to locate files. It installs itself to the disk's master boot record (MBR) like a bootkit. But instead of covert actions, it displays a red screen with instructions on how to restore the system."

— "A South Korean hosting firm just paid $1m to get their data back and that's a huge incentive. It's the biggest incentive you could offer to a cyber-criminal." Andrei Barysevich at security firm Recorded Future told BBC

Posted 2017-06-27. Topics: internet, cyberattack, cybercrime, cybersecurity, ddos.

FBI, DHS Release Technical Details on North Korea's DDoS Botnet Infrastructure
http://www.circleid.com/posts/20170613_fbi_dhs_release_technical_details_on_north_korea_ddos_methods/
The U.S. Department of Homeland Security (DHS) and the FBI today released a technical alert based on their joint analysis of the methods behind North Korea's cyberattacks. From today's release: "This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. ... DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea's distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders detect activity conducted by the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA."

Posted 2017-06-13. Topics: internet, cyberattack, cybersecurity, ddos, malware.

Canadian Internet Registration Authority Launches Cloud-Based DNS Firewall Service
http://www.circleid.com/posts/20170609_cira_launches_cloud_based_dns_firewall_service/
The Canadian Internet Registration Authority (CIRA) has announced the launch of a security service called D-Zone DNS Firewall — a cloud-based cybersecurity solution — to protect Canadian organizations from ransomware and malware. CIRA has partnered with Nominum, a provider of recursive DNS technology, to build the first of what it calls a made-in-Canada DNS Firewall solution. "The service operates in Canadian Internet exchange points and functions as a high-performance, policy-enabled recursive DNS service to ensure that organizations using the DNS Firewall maintain or even improve user experience through faster web and application access." The company says its service will help organizations block access to malicious content before it can reach their network, and that malware is prevented from using its command and control servers for execution.

Posted 2017-06-09. Topics: internet, cloud computing, cyberattack, cybercrime, cybersecurity, ddos, dns, malware.

NTIA Issues RFC, Asks for Input on Dealing With Botnets and DDoS Attacks
http://www.circleid.com/posts/20170608_ntia_issues_rfc_asks_input_to_deal_with_botnets_and_ddos_attacks/
NTIA issued a Request for Comments today asking for broad input from "all interested stakeholders, including private industry, academia, civil society, and other security experts," on actions against botnets and distributed attacks. "The goal of this RFC is to solicit informed suggestions and feedback on current, emerging, and potential approaches for dealing with botnets and other automated, distributed threats and their impact." Although the department has expressed interest in all aspects of this issue, it has indicated particular interest in two broad approaches where substantial progress can be made. They are:

— Attack Mitigation: "Minimizing the impact of botnet behavior by rapidly identifying and disrupting malicious behaviors, including the potential of filtering or coordinated network management, empowering market actors to better protect potential targets, and reducing known and emerging risks."

— Endpoint Prevention: "Securing endpoints, especially IoT devices, and reducing vulnerabilities, including fostering prompt adoption of secure development practices, developing practical plans to rapidly deal with newly discovered vulnerabilities, and supporting adoption of new technology to better control and safeguard devices at the local network level."

Posted 2017-06-08. Topics: internet, cyberattack, cybersecurity, ddos.

Conventional Thinking Won't Work in New Era of ISIS & 'Unprecedented' Cyber & Non-Cyber Attacks
http://www.circleid.com/posts/20170601_conventional_thinking_wont_work_in_new_era_of_isis_cyberattack/
Conventional thinking or solutions will no longer work in the new era of ISIS and the 'Unprecedented' cyber and non-cyber attacks we live in today. Like it or not, everyone is impacted, and no one is immune. Whether you are an average citizen, a chairman or CEO of a multinational, or a government or academic institution leader, the questions to ponder are: Do you know what to do next? Do you know what the solution is?

This new era is already upon us, and it has already changed our lives and the way we live and do things dramatically, and this impact will continue to worsen for the foreseeable future if we don't change the way we do things. What is very worrying is that all the signs indicate that the majority of leaders and top decision makers are either unaware, too slow to act and adapt, or simply don't know what to do next.

ISIS has been using the Internet to great success to cyber attack us, promote its hate agenda, and to recruit new followers to commit cyber and non-cyber terrorist acts in their name. Recently they have been teaching followers online how to lure innocent people to murder and slaughter them and commit the unthinkable.

Many recent terrorist attacks such as those in Nice and Paris, France, San Bernardino, California, Belgium's Brussels train station and Manchester, England were all either organized, perpetrated or inspired by ISIS and its hate agenda.

More critically, cyber also became ISIS's new war frontier to unleash its destruction motivation on the world since 2015. And their cyber war on us will rise exponentially in the very near future.

Equally alarming is that traditional cyber strategies are failing on a daily basis and at unprecedented scales. The unsophisticated WannaCry ransomware attack on May 12, 2017, hit more than 150 countries, causing great damage and chaos all over the world, especially in the UK and its NHS. On December 14, 2016, Yahoo announced 1 Billion user accounts were hacked back in 2013. Yahoo's sale price to Verizon was slashed by $350 million as a result of that breach, reflecting almost a 10% loss of value. On October 21st, 2016, the Mirai botnet was used in the largest DDoS attack of its kind ever. It targeted DNS provider Dyn and shut down Twitter, the New York Times, PayPal, Etsy, Shopify, Netflix, Soundcloud, Spotify, and others. It hit on an unprecedented scale, with clear "Geo-Political" motivation to damage 'Trust', a critical pillar of our socio-economic model. The TV5Monde French TV station cyber hack in June 2015 was claimed by "CyberCaliphate" on behalf of ISIS. And in early February 2017 ISIS attacked many NHS trusts, defacing and destroying many websites and servers.

If all this does not act as a wakeup call that everything has changed and that things now have to be done differently and innovatively, then nothing else will.

This new and grave responsibility cannot be punted down to the IT or cyber security department but now falls squarely on the shoulders of leaders, top decision makers, and their boards. They need to come to terms with this alarming new era and ask for outside help on how to mitigate these new cyber and non-cyber threats before they are breached, crippled or even destroyed.

Simply relying on governments' guidance on 'best practice', or on being 'compliant' to new regulations is 'nice' and a 'lovely' check box filler, but is most certainly not enough and will not work. Survivability is now at stake.

Just remember that it was not the UK's new National Cyber Security Center that cost 1.9 Billion taxpayer pounds that stopped the WannaCry attack on the NHS, it was a 22-year-old IT dropout who discovered the solution and registered a $10 domain name to stop the attacks.

One bit of good news: those who do act in time will give themselves a unique opportunity to turn this into competitive advantage for years to come.

Dr. Vint Cerf, known globally as one of the fathers of the Internet, once said a few years ago: "Adapt or Die". He was right back then and is so right today.

Only those who adapt ASAP and before they are breached can survive the traditional and destruction motivated cyber- and non-cyber-terrorism and this new era of the 'unprecedented'. As to the others, well, I don't think prayers can help.

I leave you with these other questions to ponder:

Does your organization know what to do next to survive in this new era?
Do you know how to turn these new threats into a competitive advantage?
Or,
Will you be the next victim to be crippled or destroyed?

Written by Khaled Fattal, Group Chairman, The Multilingual Internet Group

Posted 2017-06-01. Topics: internet, cyberattack, cybersecurity, ddos.

Attacks Decrease by 23 Percent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report
http://www.circleid.com/posts/20170525_attacks_decrease_by_23_precent_in_q1_peak_attack_sizes_increase/
Report highlight: Multi-Vector DDoS Attacks are the Norm – Fifty-seven percent of DDoS attacks mitigated by Verisign in Q1 2017 employed multiple attack types. Verisign observed DDoS attacks targeting victim networks at multiple network layers and attack types changing over the course of DDoS events, thus requiring continuous monitoring to optimize the mitigation strategy.

Verisign has released its latest DDoS Trends Report for the first quarter of this year, representing a unique view into the attack trends unfolding online. The DDoS Trends Report is based on observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of Verisign DDoS Protection Services.

The largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 Million packets per second (Mpps). This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours. The attack was notable because the attackers were persistent, sending attack traffic on a daily basis for over two weeks. The attack consisted primarily of TCP SYN and TCP RST floods of varying packet sizes and employed one of the signatures associated with the Mirai IoT botnet. The event also included UDP floods and IP fragments which increased the volume of the attack.

TCP-based attacks were the second most common attack vector, making up 33 percent of attack types in the quarter.

The IT/Cloud/SaaS industry, representing 58 percent of mitigation activity, was the most frequently targeted industry for the tenth consecutive quarter. The Financial Sector industry experienced the second highest number of DDoS attacks, representing 28 percent of mitigation activity. This is a large increase from the 7 percent mitigation during the prior quarter.

Posted 2017-05-25. Topics: internet, cyberattack, cybercrime, cybersecurity, ddos, networks.

Sorry, Not Sorry: WHOIS Data Must Remain Public
http://www.circleid.com/posts/20170427_sorry_not_sorry_whois_data_must_remain_public/
In March, I posted a call to action to those of us in the community who have the inclination to fight against a movement to redact information critical to anti-abuse research. Today, I felt compelled to react to some of the discussions on the ICANN discussion list dedicated to the issue of WHOIS reform:

Sorry, not sorry: I work every working hour of the day to protect literally hundreds of millions of users from privacy violating spam, phish, malware, and support scams.

Should access to WHOIS data be redacted in any way beyond what it is at present, my work will be made impossible. I spend 90% of my day in WHOIS data, the other 10% sculpting the data in a manner to provide reason and proof to hosting provider and registrars to take action against real-life criminals on their networks.

I also prepare cases for law enforcement to act upon. Contrary to popular belief in some quarters, LE cannot possibly begin to know about the stuff I (and my many, many colleagues) see until we tell them. That's how it works. Any of the big botnet and crime ring take-downs and arrests you've ever seen have involved a public-private collaboration between individuals, researchers such as myself, and law enforcement.

So, I'd like to issue congratulations to all those who want to redact. You will, without a single iota of uncertainty, expose many more people to real — not potential or hypothetical — privacy issues of a far more serious nature than you could possibly imagine, all in the badly mangled, misguided, and muddleheaded notion of what privacy actually is in the real world. 'Cut off your nose to spite your face' has never been more apt.

I hope you tell your Mom, family and your friends what you are trying to do here, while I spend my time trying to protect them from real evil: Revenge porn. Identity Theft. Plain old theft. Stalking. Photographic representation of the rape of children. Trolling, leading to the destruction of people's lives. Emptied bank accounts.

Tell them you don't want me to be able to do my job, and that you are trying to make it impossible, because you think access to the data that has been public and without challenge under the world's privacy laws for twenty years is better off limited to the point of uselessness, sacrificed on some misshapen altar of privacy.

If I sound angry at what you are attempting to do, then I've hit my mark. I am furious. The security sector is furious. We are terrified that you may have any degree of success in this regard, because you apparently don't know, or don't care what the actual results will be. Placating with 'gated access' means there will be some among my peers and colleagues, far more talented and effective than I, who simply cannot gain access, and the resulting mess will be on your head, and at risk of overstating my case, the blood on your hands.

So again, congratulations. Mother's Day is coming up. Be sure to make mention of this in the card you send. Now, if you'll excuse me, I'll go back to diving in the data lake of WHOIS, trying to keep spam and far worse evil off've your network.

Posted 2017-04-27. Topics: internet, cyberattack, cybercrime, cybersecurity, ddos, dns, spam, whois.

Permanent Denial-of-Service Attacks on the Rise, Incidents Involve Hardware-Damaging Assaults
http://www.circleid.com/posts/20170408_permanent_denial_of_service_attacks_on_the_rise/
Also known loosely as "phlashing" in some circles, Permanent Denial-of-Service (PDoS) is an increasingly popular form of cyberattack that damages a system so badly that it requires replacement or reinstallation of hardware. "By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of system," report researchers from security firm Radware. "It is a contrast to its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage. ... Over a four-day period, Radware's honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage. ... Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device."
Posted 2017-04-08. Tags: internet, cyberattack, cybersecurity, ddos, internet_of_things

So Long, Farewell: The Worst DDoS Attacks of 2016
http://www.circleid.com/posts/20170228_so_long_farewell_the_worst_ddos_attacks_of_2016/
The year 2016 will go down in infamy for a number of reasons. It was the year an armed militia occupied an Oregon wildlife refuge, Britain voted to Brexit, an overarching event that will simply be referred to as The Election occurred, and Justin Bieber made reluctant beliebers out of all of us.

What happened: Following the release of the Legion expansion to the mega-popular World of Warcraft game in August, Blizzard Entertainment was slammed with three distributed denial of service attacks in August and another one in September.

The DDoS details: While the company has not released specifics on the attacks, the modus operandi was standard for taking aim at a gaming company: wait until the servers are overloaded with users excited about a new game or expansion, then push those servers over the brink with malicious traffic. The DDoS-for-hire outfit PoodleCorp has claimed responsibility.

The damage done: These attacks affected not only World of Warcraft players, but people trying to use the Blizzard platform for other games, including Diablo III and Overwatch. Gamers are known for their emotional reactions to outages, which is one of the reasons gaming platforms are frequently targeted, and PoodleCorp succeeded in causing widespread anger over Blizzard's failure to protect their platform from DDoS attacks once again.

The lesson that needs to be learned: website or platform users don't get used to DDoS-related outages, they get increasingly angry over them. Gaming platforms are at a disadvantage due to their overworked servers, the single point of failure nature of their systems, and the emotional reactions of their users.

The jewelry store hold-up

What happened: In June a brick-and-mortar jewelry store had its website taken offline for days by a distributed denial of service attack. It got the website restored, only to have it knocked offline again.

The DDoS details: As small as the jewelry store may have been, this is big news since the attack came from a botnet fully made up of CCTV cameras, 25,000 of them, sending 50,000 requests per second.

The damage done: This wasn't a large-scale attack affecting hundreds of thousands of people like the others in this list, but what makes it stand out was that it was one of the first known uses of an IoT botnet that used only CCTV devices.

The lesson that needs to be learned: As the world becomes increasingly connected, DDoS attackers are amassing more and more weapons. There are two lessons here: secure your IoT devices by changing the default passwords, and get professional DDoS mitigation if your website does not have it. There are simply too many opportunities for attackers now.

The Mirai deluge

What happened: This is actually a set of three separate attacks, all coming courtesy of the Mirai botnet. First, security journalist Brian Krebs had his site rendered useless by a 620 Gbps attack in September. Days later French hosting provider OVH was hit with a 1 Tbps attack. The biggest one came in October: DNS provider Dyn was slammed by an attack estimated at 1.2 Tbps that knocked major websites and platforms offline, including Netflix, Twitter and PayPal.

The DDoS details: It's hard to get a handle on just how big the Mirai botnet is, but security experts agree it's an IoT botnet consisting of well over 100,000 devices capable of throwing attack traffic from tens of millions of IP addresses. Due to the sheer number of devices in this botnet, its attackers tend to use it for distributed denial of service flooding attacks.

The damage done: Each of these three DDoS attacks held the title of biggest ever, at least until the next one came along. The Dyn attack reigns supreme, for now. The Dyn attack was one of the first DDoS attacks to grab the attention of the public due to the high-profile nature of the websites and platforms affected. It became such a major news story that the White House had to give multiple briefings and updates on it.

The lesson that needs to be learned: IoT botnets are currently grabbing headlines for these staggering attacks, but the average website owner needs to know that the biggest use of these botnets is assuredly going to be as DDoS for hire services. That means the extraordinary power of these botnets can be rented for a nominal fee, and everyone is a potential target.

Make no mistake about it. We haven't even begun to scratch the surface of what went on in DDoS attacks this year. As ugly as this round-up is, next year's is likely only going to be worse. May a new Justin Bieber album soothe us all!

Distributed Denial-of-Service (DDoS) attacks will become larger in scale, harder to mitigate and more frequent, says Deloitte in its annual Global Predictions 2017 report. It predicts "there will be on average a Tbit/s (terabit per second) attack per month, over 10 million attacks in total, and an average attack size of between 1.25 and 1.5 Gbit/s (gigabit per second) of junk data being sent. An unmitigated Gbit/s attack (one whose impact was not contained), would be sufficient to take many organizations offline."

— Anticipated escalation in DDoS threat is based on three concurrent trends: the growing installed base of insecure Internet of Things (IoT) devices; the online availability of malware methodologies, such as Mirai, which allow relatively unskilled attackers to corral insecure IoT devices and use them to launch attacks; and the availability of ever higher bandwidth speeds.

— Entities that should remain particularly alert, according to the report, include: retailers with a high share of online revenues; online video games companies; video streaming services; online business and service delivery companies (financial services, professional services); and government online services (for example, tax collection).

The report also shares a range of options that companies and governments should consider to mitigate the impacts of DDoS attacks – they include: decentralizing, bandwidth oversubscription, testing, dynamic defense among others. (Full report available here)

Posted 2017-02-22. Tags: internet, cyberattack, cybersecurity, ddos, internet_of_things

Blocking a DDoS Upstream
http://www.circleid.com/posts/20170214_blocking_a_ddos_upstream/
In the first post on DDoS, I considered some mechanisms to disperse an attack across multiple edges (I actually plan to return to this topic with further thoughts in a future post). The second post considered some of the ways you can scrub DDoS traffic. This post is going to complete the basic lineup of reacting to DDoS attacks by considering how to block an attack before it hits your network — upstream.

The key technology in play here is flowspec, a mechanism that can be used to carry packet-level filter rules in BGP. The general idea is this: you send a set of specially formatted NLRI and communities to your provider, who then automagically uses them to create filters at the inbound side of your link to the 'net. There are two parts to the flowspec encoding, as outlined in RFC 5575bis (the revision of RFC 5575, since published as RFC 8955): the match rule, carried as a new NLRI type, and the action rule, carried as extended communities. The match rule is encoded as a list of typed components, each with its own sub-TLV format.

There is a wide range of conditions you can match on. The source and destination addresses are pretty straightforward. For the IP protocol and port numbers, the operator sub-TLVs allow you to specify a set of conditions to match on, and whether to AND the conditions (all conditions must match) or OR the conditions (any condition in the list may match). Ranges of ports, greater than, less than, greater than or equal to, less than or equal to, and equal to are all supported. Fragments, TCP header flags, packet length, DSCP, and a number of other header fields can be matched on as well.

Once the traffic is matched, what do you do with it? There are a number of actions, each carried as an extended community, including:

Controlling the traffic rate in either bytes per second or packets per second

Redirecting the traffic to a VRF

Marking the traffic with a particular DSCP value

Filtering (discarding) the traffic, which is expressed as a traffic rate of zero

If you think this must be complicated to encode, you are right. That's why most implementations allow you to set pretty simple rules, and handle all the encoding bits for you. Given flowspec encoding, you should just be able to detect the attack, set some simple rules in BGP, send the right "stuff" to your provider, and watch the DDoS go away. ...right… If you have been in network engineering since longer than "I started yesterday," you should know by now that nothing is ever that simple.
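To make the "encoding bits" concrete, here is an added example (not code from the original post) that hand-assembles the flowspec NLRI and the traffic-rate action for one rule, following the component and operator layout in RFC 8955 (the published RFC 5575bis). The rule itself, the 192.0.2.0/24 victim prefix and the zero ASN in the community are made up for illustration; in practice a BGP daemon such as ExaBGP or your router does this for you, but seeing the bytes explains what the "simple rules" turn into on the wire.

```python
# Added example (not the original post's code): build the BGP flowspec NLRI and
# traffic-rate action for a single filter rule per RFC 8955.  Prefix and ASN are made up.
import ipaddress
import struct

# Component types, RFC 8955 section 4.2.  Components must be emitted in ascending type order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator byte: e(nd-of-list) | a(nd) | len(2 bits) | 0 | lt | gt | eq   (section 4.2.1.1)
END_OF_LIST, AND_WITH_PREVIOUS = 0x80, 0x40
OPS = {"<": 0x04, ">": 0x02, "==": 0x01, "<=": 0x05, ">=": 0x03, "!=": 0x06}
LEN_CODE = {1: 0b00, 2: 0b01, 4: 0b10, 8: 0b11}   # operand length code, bits 5-4


def operand_len(value):
    """Smallest of 1/2/4/8 bytes that holds the value."""
    for n in (1, 2, 4, 8):
        if 0 <= value < 1 << (8 * n):
            return n
    raise ValueError("operand does not fit in 8 bytes")


def prefix_component(ctype, cidr):
    """Types 1 and 2: <type><prefix-length><prefix, minimal number of bytes>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, dnf):
    """Types 3-12: a match expression in disjunctive normal form.

    dnf = [[(">=", 1024), ("<=", 65535)], [("==", 53)]]
        means (x >= 1024 AND x <= 65535) OR x == 53.
    Every term after the first inside a group carries the AND bit; a new group
    without the AND bit is OR-ed with what came before; the last term carries
    the end-of-list bit.
    """
    out = bytearray([ctype])
    for gi, group in enumerate(dnf):
        for ti, (op, value) in enumerate(group):
            n = operand_len(value)
            opbyte = (LEN_CODE[n] << 4) | OPS[op]
            if ti > 0:
                opbyte |= AND_WITH_PREVIOUS
            if gi == len(dnf) - 1 and ti == len(group) - 1:
                opbyte |= END_OF_LIST
            out.append(opbyte)
            out += value.to_bytes(n, "big")
    return bytes(out)


def flowspec_nlri(*components):
    """Sort components by type, concatenate, prepend the NLRI length (section 4.1)."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body   # two-byte form for 240..4095


def traffic_rate(rate_bytes_per_second, asn=0):
    """Action: traffic-rate-bytes extended community (type 0x80, sub-type 0x06, section 7.1).
    The rate is an IEEE float; a rate of 0 discards matched traffic, which is how 'filter' is said."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(rate_bytes_per_second))


def dns_amplification_rule():
    """Drop UDP packets from source port 53 of 512 bytes or more headed for
    192.0.2.0/24 (documentation prefix standing in for the victim's block)."""
    nlri = flowspec_nlri(
        prefix_component(DST_PREFIX, "192.0.2.0/24"),
        numeric_component(IP_PROTO, [[("==", 17)]]),
        numeric_component(SRC_PORT, [[("==", 53)]]),
        numeric_component(PKT_LEN, [[(">=", 512)]]),
    )
    return nlri, traffic_rate(0)


if __name__ == "__main__":
    nlri, action = dns_amplification_rule()
    print("NLRI  :", nlri.hex())     # 0f0118c000020381110681350a930200
    print("action:", action.hex())   # 8006000000000000
```

Reading the NLRI back: 0f is the 15-byte length; 01 18 c0 00 02 is destination 192.0.2.0/24 with the prefix trimmed to three bytes; 03 81 11 is protocol == 17 with the end-of-list bit set; 06 81 35 is source port == 53; 0a 93 02 00 is packet length >= 512 using a two-byte operand. Everything the post describes as "AND/OR the conditions" lives in two bits of each operator byte, which is also why hand-encoding is error-prone and implementations hide it.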

If you don't see a tradeoff, you haven't looked hard enough.

First, from a provider's perspective, flowspec is an entirely new attack surface. You cannot let your customer just send you whatever flowspec rules they like. For instance, what if your customer sends you a flowspec rule that blocks traffic to one of your DNS servers? Or, perhaps, to one of their competitors? Or even to their own BGP session? Most providers, to prevent these types of problems, will only apply any flowspec initiated rules to the port that connects to your network directly. This protects the link between your network and the provider, but there is little way to prevent abuse if the provider allows these flowspec rules to be implemented deeper in their network.

Second, filtering costs money. This might not be obvious at a single-link scale, but when you start considering how to filter multiple gigabits of traffic on multi-field header matches (protocol, ports, packet length, flags, all at once), particularly given the ability to combine a number of conditions in a single flowspec rule, filtering consumes a lot of resources during the actual packet switching process. There is a limited number of such resources (filter entries, typically TCAM) on any given packet processing engine (ASIC), and a lot of customers who are likely going to want to filter. Since filtering costs the provider money, they are most likely going to charge for flowspec, limit which customers can send them flowspec rules (generally grounded in the provider's perception of the customer's cluefulness), and even limit the number of flowspec rules that can be implemented at any given time.
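The two provider-side concerns above, a customer filtering traffic that is not theirs and a customer eating the filter budget, are what RFC 8955 section 6 route validation and a per-customer rule cap are for. The following is an added example (not code from the original post) of that check: a flowspec route from a neighbour is installed only if it names a destination prefix, the best-matching unicast route for that prefix was learned from the same neighbour, and no more-specific unicast route inside it came from someone else. The RIB contents, ASNs and the budget of 100 rules are constructed for the example; a real implementation would consult the router's unicast RIB rather than a dictionary.

```python
# Added example (not from the original post): provider-side validation of a
# customer-originated flowspec rule, modelled on RFC 8955 section 6, plus a
# per-customer rule budget.  Prefixes, ASNs and the budget below are made up.
import ipaddress


def best_match(rib, prefix):
    """Longest unicast route covering `prefix`, as (network, neighbour_as), or None."""
    covering = [(net, asn) for net, asn in rib.items() if prefix.subnet_of(net)]
    return max(covering, key=lambda item: item[0].prefixlen) if covering else None


def validate_flowspec(rule, from_as, unicast_rib, installed=0, budget=100):
    """Decide whether to install `rule` received from neighbour AS `from_as`.

    rule        : dict describing the match; only the 'dst' key (destination CIDR) matters here
    unicast_rib : {cidr: neighbour AS the best unicast route for cidr was learned from}
    installed   : rules this neighbour already has installed (the filter-resource budget)
    Returns (accepted, reason).
    """
    if installed >= budget:
        return False, f"AS{from_as} already has {installed} rules installed (budget {budget})"
    if "dst" not in rule:
        # Without a destination the rule would match every customer's traffic
        # (RFC 8955 section 6 requires a destination prefix component).
        return False, "rule has no destination prefix"
    dst = ipaddress.ip_network(rule["dst"])
    rib = {ipaddress.ip_network(cidr): asn for cidr, asn in unicast_rib.items()}
    best = best_match(rib, dst)
    if best is None:
        return False, f"no unicast route covers {dst}"
    if best[1] != from_as:
        # Condition (a): the originator of the flowspec route must match the
        # originator of the best-match unicast route.  Catches "filter my competitor"
        # and "filter the provider's DNS server".
        return False, f"best-match {best[0]} was learned from AS{best[1]}, not AS{from_as}"
    for net, asn in rib.items():
        # Condition (b): no more-specific unicast route from a different neighbour inside dst,
        # otherwise a covering aggregate could be used to filter a delegated sub-block.
        if net != dst and net.subnet_of(dst) and asn != from_as:
            return False, f"{net} inside {dst} is learned from AS{asn}"
    return True, "ok"


# Constructed provider view: AS64496 and AS64497 are customers, 192.0.2.0/24 holds
# the provider's own DNS servers, and 203.0.113.128/25 is delegated to AS64498.
RIB = {
    "203.0.113.0/24": 64496,
    "203.0.113.128/25": 64498,
    "198.51.100.0/24": 64497,
    "192.0.2.0/24": 64500,
}

if __name__ == "__main__":
    for rule in ({"dst": "203.0.113.0/26"},    # customer's own space: accepted
                 {"dst": "192.0.2.53/32"},     # provider's DNS server: rejected
                 {"dst": "203.0.113.0/24"},    # covers a sub-block owned by AS64498: rejected
                 {"src": "198.51.100.0/24"}):  # no destination at all: rejected
        print(rule, validate_flowspec(rule, 64496, RIB))
```

Note that even with this check passing, most providers still confine the resulting filter to the customer-facing port, as the post says; validation only decides whether the rule is legitimate, not how far into the network it is pushed.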

There is plenty of further reading out there on configuring and using flowspec, and it is likely you will see changes in the way flowspec is encoded in the future. Some great places to start are:

One final thought as I finish this post off. You should not just rely on technical tools to block a DDoS attack upstream. If you can figure out where the DDoS is coming from, or track it down to a small set of source autonomous systems, you should find some way to contact the operator of the AS and let them know about the DDoS attack. This is something Mara and I will be covering in an upcoming webinar over at ipspace.net — watch for more information on this as we move through the summer.